2.3.1

sbt-pgp 2.3.1 is cross published to:

sbt Version	Published
1.x	✅
2.0.0-M2	✅
2.0.0-M3	✅

updates

• deps: Update Bouncy Castle to 1.78.1 by @urwithsumit in #216
  • CVE-2024-30172
  • CVE-2023-33201
  • CVE-2024-29857
  • CVE-2024-30171
  • CVE-2023-33202

behind the scene

• refactor: Use Iterator instead of deprecated Stream by @xuwei-k in #215
• ci: setup-sbt by @eed3si9n in #217
• ci: Use sbt 1.10.6 for sbt 1.x scripted tests by @eed3si9n in #218

new contributors

• @urwithsumit made their first contribution in #216

Full Changelog: v2.3.0...v2.3.1

2.3.0

sbt-pgp 2.3.0 is cross published to:

sbt Version	Published
1.x	✅
2.0.0-M2	✅

sbt 2.x migration

• Adds Scala 3 build setting for gpg-library by @xuwei-k in #208
• Cross build to sbt 2.x by @eed3si9n in #214
• Prepare Scala 3, sbt 2 build by @xuwei-k in #205
• Uses slash syntax in test. prepare sbt 2 by @xuwei-k in #213

behind the scenes

• Remove unused imports by @xuwei-k in #212
• Delete scala-sbt-0.13/Compat.scala by @xuwei-k in #206
• Avoid deprecated java.net.URL constructor by @xuwei-k in #204
• Update specs2 by @xuwei-k in #207
• Add dependabot for github-actions by @xuwei-k in #209
• Bump actions/setup-java from 3 to 4 by @dependabot in #211
• Bump actions/checkout from 3 to 4 by @dependabot in #210
• Readme by @eed3si9n in #201
• Fix typo in readme by @SethTisue in #202

new contributors

• @SethTisue made their first contribution in #202
• @dependabot made their first contribution in #211

Full Changelog: v2.2.1...v2.3.0

2.2.1

bug fix

• Pass in --yes to GnuPG CLI during signing by @eed3si9n in #200

behind the scene

• Update CI by @eed3si9n in #198

Full Changelog: v2.2.0...v2.2.1

2.2.0

What's Changed

• Fixes 'gpg: invalid option "--pinentry-mode"' on GPG 2.0 by @winitzki in #197
• Fixes many typos by @xuwei-k in #189
• Updates dependencies by @xuwei-k in #193
• Adds testcase by @CTiPKA in #194
• Uses slash syntax by @xuwei-k in #190 and @eed3si9n in #196

New Contributors

• @CTiPKA made their first contribution in #194
• @winitzki made their first contribution in #197

Full Changelog: v2.1.2...v2.2.0

2.1.2

sbt-pgp 2.1.2 is identical to sbt-pgp 2.1.1, but published to Maven Central under a new organization name com.github.sbt:

addSbtPlugin("com.github.sbt" % "sbt-pgp" % "2.1.2")

sbt-pgp provides PGP signing for sbt.

2.1.1

This is identical to 2.1.0, but Bintray keeps failing to publish ivy.xml for sbt-pgp 2.1.0, so here's a new release.

gpg 2 support

sbt-pgp 2.1.1 adds support for gpg 2.1 and above. Previous to this fix, "Exit code: 2" was often reported on CI systems with gpg 2.1 and above:

[error] gpg: signing failed: No such file or directory
[error] gpg: signing failed: No such file or directory
[error] java.lang.RuntimeException: Failure running 'gpg --batch --passphrase **** --detach-sign --armor --use-agent --output /some/output/file /some/input/file.  Exit code: 2

This is because --passphrase option requires --pinentry-mode loopback options as well, which is not compatible with gpg 1.4. To fix this, sbt-pgp will attempt to detect the version number. #184 by @eed3si9n

note for automatic publishing

In addition to sbt-pgp 2.1.1, sbt-ci-release will require a similar change. To workaround that create a file named .github/decodekey.sh

#!/bin/bash

echo $PGP_SECRET | base64 --decode | gpg  --batch --import

2.1.0

2.1.0 failed to publish on Bintray, so please use 2.1.1 instead -

[error] (plugin / publishSigned) error uploading to com.jsuereth/sbt-pgp/scala_2.12/sbt_1.0/2.1.0/ivys/ivy.xml: <html>
[error] <head><title>405 Not Allowed</title></head>
[error] <body bgcolor="white">
[error] <center><h1>405 Not Allowed</h1></center>
[error] <hr><center>nginx</center>
[error] </body>
[error] </html>

2.0.2

sbt-pgp 2.0.2 fixes the long-standing annoyance #174, which printed stderr messages from gpg CLI as [error] log.

Before

sbt:test> signedArtifacts
[info] Wrote /path/to/sbt-pgp/src/sbt-test/sbt-pgp/credentials/target/scala-2.13/test_2.13-1.0.pom
[error] gpg: using "..." as default secret key for signing
[error] gpg: using "..." as default secret key for signing
[error] gpg: using "..." as default secret key for signing
[error] gpg: using "..." as default secret key for signing
[success] Total time: 1 s, completed 2020/10/18 17:39:40

After

sbt:test> signedArtifacts
[info] Wrote /path/to/sbt-pgp/src/sbt-test/sbt-pgp/credentials/target/scala-2.13/test_2.13-1.0.pom
[info] gpg: using "..." as default secret key for signing
[info] gpg: using "..." as default secret key for signing
[info] gpg: using "..." as default secret key for signing
[info] gpg: using "..." as default secret key for signing
[success] Total time: 1 s, completed 2020/10/18 17:40:33

This was contributed by Mitsuhiro Shibuya-san (@mshibuya) during ScalaMatsuri 2020 Day 2 OSS Hackathon.

2.0.1

sbt-pgp 2.0.1 provides an workaround for gpg command running out of memory when multiple artifacts are signed concurrently #168 / #171 by @eed3si9n

2.0.0

The documentation for sbt-pgp is moved to https://github.com/sbt/sbt-pgp (README on GitHub).

Breaking change: Default to use GnuPG (useGpg := true)

sbt-pgp 1.x had useGpg set to false, which used Bouncy Castle a Java library for signing etc.

Instead, sbt-pgp 2.0.0 flips the default to use the locally installed gpg.
#146 by @eed3si9n

This is overridable from the system property SBT_PGP_USE_GPG:

$ sbt -DSBT_PGP_USE_GPG=false

In addition, useGpgAgent setting also defaults to true, which should reduce the need to store passphrases in the plain.

Breaking change: Bouncy Castle mode is now deprecated

We no longer recommend the Bouncy Castle mode. Related, pgp-cmd command has been removed.
See Importing key pair on how to migrate old key pair into gpg.

Breaking change: camel case key name

sbt-pgp 1.x had camelCase in the build.sbt, but kebab-case in the sbt shell.
sbt-pgp 2.0.0 unifies them to camelCase.

Breaking change: package name change

The package name is changed from com.typesafe.sbt.pgp to com.jsuereth.sbtpgp to match the organization of the artifact. If the build user enables sbt-pgp 2.0.0 globally, this might show up as:

[error] /Users/xxx/work/playframework/project/BuildSettings.scala:7:21: object sbt is not a member of package com.typesafe
[error] import com.typesafe.sbt.pgp.PgpKeys
[error]                     ^

Signing Key

By default, all signing operations will use gpg's default key. Following the convention set by jodersky/sbt-gpg, specific key can now be used by setting sbt Credentials for the host "gpg", instead of usePgpKeyHex(...):

credentials += Credentials(
  "GnuPG Key ID",
  "gpg",
  "2BE67AC00D699E04E840B7FE29967E804D85663F", // key identifier
  "ignored" // this field is ignored; passwords are supplied by pinentry
)

pgpKeyRing key

Instead of reusing Bouncy Castle settings, sbt-pgp 2.0.0 adds a new optional key pgpKeyRing to override the key ring. This is set to None by default. #166 by @eed3si9n

PGP_PASSPHRASE environment variable

Following the convention set by olafurpg/sbt-ci-release, sbt-pgp 2.0.0 will automatically use the value set to PGP_PASSPHRASE as the passphrase. #165 by @eed3si9n

sbt-pgp 1.x has provided ways of storing passphrase using pgpPassphrase or in the credentials, but we no longer recommend using these methods on your laptop.

pinentry support

Adds a pinentry option to sbt-pgp, by using the --pinentry-mode loopback option.

Adds a useGpgPinentry boolean key that if set with useGpg and useGpgAgent set, will use a specialized signer CommandLineGpgPinentrySigner. #142 by @wsargent

Commits

v1.1.2...v2.0.0